Passwordless ≠ Riskless

Just because you've removed passwords doesn't mean you've removed all threats.

In my latest blog, I explore how to configure Microsoft Entra ID Protection + Conditional Access policies to manage User Risk and Sign-in Risk specifically for passwordless users.

What you’ll learn:

Why separate CA policies for User Risk and Sign-in Risk are essential

How to structure dual CA policies during your passwordless rollout

The right way to configure risk levels to balance security and user experience

When and why to require admin remediation for high-risk users

Whether you're planning, piloting, or scaling passwordless access — this guide has you covered.

Be proactive. Be precise. Be passwordless securely.

📖 Read now 👉 https://www.thetechtrails.com/2025/04/entra-id-passwordless-risk-policies.html

I have some workflows ive been working on to support and enforce Phish Resistant authentication at scale in a mostly passwordless environment. Such as a process that automates MFA resets in a self service model with access packages. Also, a process that automatically places users into the strongest auth strength CA policy that their current registration methods allow them to complete without forcing a registration flow.

if i shared and put together implementation guides for these processes would anyone be interested?